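# images.dev.homlish.net: grab the leaf certificate the server presents and print
# where its CRL is published.
# -servername sends SNI, so a server hosting several names returns the certificate
# for this name rather than its default vhost's.
# NOTE: the www.homlish.net step later reuses the www.pem filename and overwrites this.
openssl s_client -connect images.dev.homlish.net:443 -servername images.dev.homlish.net 2>&1 < /dev/null \
  | sed -n '/-----BEGIN/,/-----END/p' > www.pem
# Straight quotes matter: curly quotes are not shell quoting, so grep would have taken
# only the first word as its pattern and the rest as filenames.
openssl x509 -noout -text -in www.pem | grep -A 4 'X509v3 CRL Distribution Points'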
To check the CRL, run this from outside the host so that nginx isn't in the way.
let’s encrypt, it’s 5 AM and what a rabbit hole
I used this guide: https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
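# www.homlish.net: same as above for the public site.
# -servername sends SNI so the right vhost's certificate comes back.
openssl s_client -connect www.homlish.net:443 -servername www.homlish.net 2>&1 < /dev/null \
  | sed -n '/-----BEGIN/,/-----END/p' > www.pem
# Straight quotes so grep receives the whole phrase as one pattern.
openssl x509 -noout -text -in www.pem | grep -A 4 'X509v3 CRL Distribution Points'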
# that didn’t provide the CRL Distribution Points.
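# Fall back to the Authority Information Access extension; its "CA Issuers" entry is
# the URL of the issuer's certificate (not a CRL). Straight quotes so grep gets one pattern.
openssl x509 -noout -text -in www.pem | grep -A 4 'CA Issuers'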
# that gave me:
CA Issuers - URI:http://r3.i.lencr.org/
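# The CA Issuers URI serves the issuer's *certificate* in DER form, not a CRL, which is
# why `openssl crl -inform DER` refused it. Convert it as an X.509 certificate instead;
# ca.pem is then the intermediate needed to build the chain.
wget -O ca.der http://r3.i.lencr.org/
openssl x509 -inform DER -in ca.der -out ca.pem
# A CRL must come from the certificate's CRL Distribution Points extension; an X.509
# certificate carries those URLs, never a built-in CRL.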
Since www.homlish.net is a Let's Encrypt cert, we'll need to gather the entire chain.
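# Print every certificate the server sends (-showcerts) so the intermediate(s) can be
# collected; run it once, the original repeated the same command twice.
# -servername sends SNI so the right vhost's chain comes back.
openssl s_client -connect www.homlish.net:443 -servername www.homlish.net -showcerts 2>&1 < /dev/null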
# we're looking for all the pieces EXCEPT 0. I see two pieces in the chain
# use this to gather the chain into www-chain.pem
# NOTE(review): the next line looks like two commands pasted together: a chain-gathering
# snippet whose `certificates=$(` is never closed, fused with the images.dev.homlish.net
# fetch that writes images.pem (the `&1 < /dev/null | sed … > images.pem` tail). It will
# not run as written; split it back into two commands before use.
# NOTE(review): `-tls1` pins the handshake to TLS 1.0, which current servers generally
# refuse; leave the version to default negotiation unless TLS 1.0 is really what is under test.
OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect www.homlish.net:443 -showcerts -tlsextdebug -tls1 2>&1 &1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > images.pem
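# images.dev.homlish.net: its CRL Distribution Points extension names the CRL to fetch.
# Straight quotes so grep receives the whole phrase as one pattern.
openssl x509 -noout -text -in images.pem | grep -A 4 'X509v3 CRL Distribution Points'
wget -O crl.der http://www.homlish.net/ssl/homlishCA.crl
openssl crl -inform DER -in crl.der -outform PEM -out crl.pem
# Plain http is normal for a CRL URL: what protects the CRL is its signature, so check
# it against the issuing CA's certificate before relying on it:
#   openssl crl -in crl.pem -noout -CAfile <issuing-CA.pem>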